Last modified: January 31, 2019
Protecting the confidentiality and security of personal information is integral to the way in which MSCI Inc. and its affiliates ("MSCI", “us” or “we”) conduct business worldwide.
Generally, MSCI is the controller of any personal information that you provide to us (and for the purposes of EU General Data Protection Regulation (“GDPR”), this Privacy Notice applies when we act as the controller of personal information).
This Privacy Notice, our Cookie Notice and other legal notices listed on this website (www.msci.com) (together, with all sub-domains and other websites that we own or operate, "Website"), explains our collection, use and disclosure of personal information collected in the course of our business activities.
This Privacy Notice does not apply to information collected, stored, shared, or distributed by third-party sites. This Privacy Notice does not apply to our employees, who are covered by our internal notices, policies and procedures.
Please read this Privacy Notice carefully. The summary immediately below describes only highlights, and we encourage you to read this Privacy Notice completely. By visiting our Website you acknowledge the practices described in this Privacy Notice.
MSCI is a multinational corporation, with offices around the world. MSCI’s clients and prospects are companies, not individuals or consumers. MSCI’s vendors, service providers and consultants (together, “Vendors”) are typically companies but on occasion may be individuals.
We process personal data that comes from three sources: information you provide, information we receive from other sources, and information collected automatically.
The first category, information you provide, includes information that you provide through our Website, through our products or through our client support portals, through day-to-day interaction with us, in connection with a job search, and as a visitor to our offices. The second category, information we receive from other sources, includes information from public sources, information from our employees, and information from our clients. The last category, information we collect automatically, includes information collected when you visit our Website or use our IT systems/networks.
Where required by applicable data protection law, including the GDPR, our processing of your personal information will be justified on a lawful basis. We do not sell or rent your personal information to third parties. We share data internally among our corporate affiliates and business units in the ordinary course of our daily operations. We share personal information with our Vendors in connection with their performance of services for us, in accordance with our instructions, and subject to appropriate contractual restrictions and security and confidentiality obligations. We may be required to disclose your personal information for legal/regulatory/compliance purposes or in connection with an investigation, or if we believe it is reasonably necessary to prevent harm or loss. We may also share your personal information in connection with certain corporate events.
MSCI maintains physical, electronic and procedural safeguards that aim to protect personal information against loss, misuse, damage or modification and unauthorized access or disclosure. Highlights of MSCI’s information security program can be found on our Website at https://www.msci.com/information-security. If your personal information is transferred outside the EU/EEA/UK to other MSCI group companies or to Vendors, we will take steps to ensure that your personal information receives the same level of protection as if it remained within the EU/EEA/UK.
We send our marketing emails within the US on an opt-out basis, in accordance with the US CAN-SPAM legislation. Outside of the US, we rely on opt-in consent. We offer multiple ways to manage your email subscriptions, including an online preference center, unsubscribe mechanisms, and direct client support.
If you are a resident of the EU, EEA or UK, you have the following rights under the GDPR (collectively, “GDPR Rights”): right of access / subject access request, right of rectification, right to erasure (the “right to be forgotten”), right to restriction processing, right to data portability, right to object to processing (including profiling) based on legitimate interests and direct marketing (including profiling), and rights in relation to automated decision making and profiling. If you wish to exercise any of your GDPR Rights, please submit your request to us by completing the web form available at https://www.msci.com/gdpr-external-form. In addition, under GDPR, you have the right to lodge a complaint with the supervisory authority of your habitual residence, place of work or place of any alleged infringement (if you consider that the processing of your personal information infringes the GDPR).
Information You Provide
You may provide us with personal information when you communicate with us. You are responsible for providing us with accurate, complete and up-to-date information on a lawful basis.
Information you provide through day-to-day interaction with us: You may provide us with personal information through day-to-day interactions, including in-person or through various communications technologies, as necessary to develop or support our business relationship. Such relationships may include employees and other personnel of our clients and prospects, directors, vendors, consultants and other professional advisors. Personal Information here typically consists of business contact details, but could include other information appropriate to the business relationship. For example, Vendors who are individuals may also provide payment details and professional qualifications.
Information you provide through our Website: You may provide us with personal information whenever you fill out a form on our Website, for example, to ask us a question, or request that we contact you about our products and services, research or events; to subscribe to our marketing, careers or investor relations emails; to download content; to register for events; or to submit a form to exercise your GDPR Rights). The information that you provide to us may include your contact details, and any other information collected on the form to allow us to fulfil the request.
Information you provide as an employee of a client, through our products or through our client support portals: When you log in to use our products or into our client support portal, you provide us with your name, email address, username and password, and we log your product use. Your login credentials may have been created by you, or assigned to you either by MSCI or your firm with whom we have a direct contractual relationship.
Information you provide in connection with a job search: When you apply for a job through our careers portal, we collect your username and password, contact details and resume/CV. If you apply through a social media platform (e.g., LinkedIn), then depending on the platform you use, we will receive either the information contained in your online profile or the resume/CV that you submit. We also collect information that you provide to us at job fairs and during the interview process. Finally, we may require a background check as a condition of employment, where required or permitted by the applicable law of your jurisdiction. Background checks may include credit reports and criminal records, and references in relation to recruitment for specific roles.
Information We Receive from Other Sources
Information from public sources: We collect information from the public domain about individuals who work at companies with whom we are seeking to build a business relationship, for purposes of generating leads. In some cases and where permitted by law, we use third party services that perform these online searches for us. This information typically consists of business contact details.
As part of our recruitment process, we collect information from the public domain that individuals post on professional networking sites and job boards (e.g., LinkedIn).
Additionally, as part of the production of our ESG products, we collect and publish information from the public domain (e.g., public filings, websites, press releases, etc.), which may include information about the officers, directors and other senior managers of corporations that are the subject of our ESG ratings and reports. As part of our standard process, we ask the respective companies to forward the link to this Privacy Notice on to those officers and directors.
In relation to the calculation and maintenance of our equity indexes, we collect and use information from public sources about company shareholding and ownership.
Information from our employees: In furtherance of our employment relationship with our employees, our employee benefit plans and our legal, regulatory and compliance requirements, employees may provide personal information about their spouses / domestic partners, emergency contacts, dependents and other family members. Depending on the purpose, this information may include, for example, name, contact information, age, date of birth, relationship to the employee, gender, account information and social security number or other government issued identifier. This information may pertain to dependent children under the age of 16.
Information from our clients and other third parties: We receive information from our clients and prospects about their personnel for purposes of enabling access to our products, client support portal or other communications portals, and managing our business relationship. This information typically consists of business contact details and login credentials for our products, client support portal or other communications portals.
In some of our real estate products, the data submission forms that our clients submit may include limited personal information.
Information We Collect Automatically
- your domain;
- your IP address;
- your date, time and duration of your visit;
- your browser type;
- your operating system;
- your page visits;
- information from third parties;
- other information about your computer or device; and
- Internet traffic.
Email Engagement of Clients and Prospects
Our emails may include links to open attachments, visit pages on our Website, download content, launch surveys or take other actions. If you are in our client or prospect contact database, or have previously interacted with us online, then metadata in these links may enable us to identify you as the person clicking the link.
MSCI Product Usage Statistics
Where available, we collect aggregated and individually identifiable product usage data, which includes product type, login date/time, pages and features used, client accounts viewed, reports generated and other similar product metrics.
Office Visitor Use of MSCI Guest Wi-Fi
If you visit our offices and use our guest Wi-Fi, we automatically collect information about your mobile device, including IP and MAC address, and store / log your online activities. Use of our Wi-Fi is subject to our Wi-Fi Acceptable Use Policy, which you must accept to connect to our guest Wi-Fi.
We employ video surveillance (CCTV), for purposes of office access, safety and security.
Use of Personal information
How we use personal information we collect about you depends, in large part, on the purpose for which it is provided to us. The specific purposes for which we process such personal information include:
- managing our relationships with our clients and prospects, including:
- providing our products and services to our clients, prospects and others;
- using information you submit to us online for purposes of creating leads and generating sales;
- responding to your inquiries and requests, including:
- responding to your questions about our products and services, research or events;
- adding you to our email lists, including marketing, careers and investor relations (subject to your consent, where required by applicable law);
- resolving your product or other support related issues (which in some cases may involve our use of your administrative log in credentials for client support and quality cases);
- processing, evaluating and completing transactions and requests involving the Website and content available through the Website, and more generally transactions involving MSCI's products and services, research and events; and
- providing you with other information and content you have requested;
- organizing, hosting and managing events, including without limitation, handling registrations, distributing participant lists, providing reasonable accommodations (e.g., dietary requests), and using photos / videos taken at the event on our Website and other marketing materials in relation to the event;
- operating, maintaining, developing, improving and customizing our Website, including:
- the content and features accessible on our Website;
- enabling your access to and use of restricted portions of our Website, including our products, careers site, client support site and email preferences center; and
- developing, producing, operating, and maintaining our product and services;
- improving our products and services, including through the use of client satisfaction surveys and aggregated product usage data, and using product aggregated product usage data for research and analysis;
- managing our relationships with our Vendors;
- managing our relationships with our external advisors, board members, etc.;
- recruiting staff, including:
- managing our recruitment, work placement and internship processes, including considering applications for employment / placement and making offers; and
- evaluating candidates for future job opportunities (subject to your consent, where required by applicable law);
- managing our relationships with our employees, including:
- performing our obligations as employers;
- managing talent management and employee engagement programs;
- managing employee benefits; and
- complying with our legal and compliance requirements;
- managing visitor access to our offices / facilities, and protecting the safety and security of MSCI personnel, office visitors, and our offices / facilities;
- protecting the security, confidentiality and integrity of our Website, IT systems, hardware and networks, and information (including personal information of MSCI, its clients and prospects, Vendors, personnel and others);
- complying with applicable laws, rules and regulations, and in furtherance of our related internal policies, including compliance polices and records retention requirements;
- responding to your inquiries and requests that are based on legal rights that you may have (e.g., GDPR Rights); and
- managing, protecting against and investigating fraud, risk exposure, claims and other liabilities, including but not limited to violations of our contract terms or laws or regulations.
We do not track your online activities across the Internet. We do not use your personal information for automated decision making, including profiling. We do not sell or rent your personal information to third parties.
If you do not provide us with your personal information, or refuse to provide or withdraw consent (where applicable), we may not be able to perform some or all of the above-described actions
Legal Basis for Processing
Where required by applicable data protection law, including the GDPR, our processing of your personal information will be justified on a lawful basis, such as:
- the processing is necessary to perform a contract with you, or take steps to enter into a contract at your request;
- the processing is necessary for us to comply with a relevant legal obligation;
- the processing is in our legitimate interests, and our interests are not overridden by your interests, fundamental rights or freedoms; or
- you have consented to the processing.
We process personal information on the basis of our legitimate interests, unless we are performing a contract with you (or taking steps to enter into a contract with you at your request), processing to comply with a legal obligation or relying on your consent. For example, we process personal information on the basis of our legitimate interests when operating our Website; managing our relationships with our clients, prospects and Vendors; creating leads and generating sales; managing product and client support logins; IT systems monitoring and network security; building security and safety; and managing our compliance policies/legal/regulatory obligations.
Disclosure of personal information
MSCI is a multinational corporation, with offices around the globe. We share data internally among our corporate affiliates and business units in the ordinary course of our daily operations. For a current listing of our global offices, please visit the Contact Us page of our Website at: https://www.msci.com/contact-us.
We share personal information with our Vendors (or our Vendors may collect personal information directly on our behalf), in connection with their performance of services for us. For example, our Vendors assist us in conducting and managing our business; fulfilling our obligations under our agreements; managing our Website, and the content and features available on our Website; managing, providing and improving our products, research, services and client support; providing information to you and responding to your requests. Our Vendors process personal information in accordance with our instructions, and are subject to appropriate contractual restrictions and security and confidentiality obligations. Generally, the countries in which our service providers are located are the same counties in which we operate. For a current listing of our global offices, please visit the Contact Us page of our Website at https://www.msci.com/contact-us.
If you work for a client, we may provide information about your product usage to your firm with whom we have a direct contractual relationship.
If you attend our events, we may share your name in our participant list / brochure, and we may include photographs / videos taken of you at the event on our website and in our marketing materials.
We may be required to disclose your personal information to comply with any applicable legal or regulatory requirements, or where we believe that the disclosure will further an investigation of suspected or actual illegal activities; to enforce our legal rights; or if we believe it is reasonably necessary to prevent harm or loss.
We may share your personal information with third parties in connection with potential or actual sale of our company or any of our assets, or those of any affiliated company, including through mergers and acquisitions, changes of control or divestitures, or connection with bankruptcy or insolvency, in which case personal information held by us about our users may be one of the transferred assets. Where appropriate, we will take reasonable measures to require the recipient of your personal information to treat it in accordance with this Privacy Notice. MSCI reserves the right to share any information that you provide which is not deemed personal information or is not otherwise subject to contractual restrictions.
Data Transfers Outside of the EU/EEA/UK
If your personal information is transferred outside the EU/EEA/UK to other MSCI group companies or to Vendors, we will take steps to ensure that your personal information receives the same level of protection as if it remained within the EU/EEA/UK, including by entering into data transfer agreements, using the European Commission approved Standard Contractual Clauses, or by relying on certification schemes such as the EU - US Privacy Shield or other then-currently valid mechanisms for transfers. For transfers to MSCI in the US, a country that does not benefit from an adequacy decision by the European Commission, and for other transfers within the MSCI group, we have put in place European Commission approved Standard Contractual Clauses, which protect personal information transferred between MSCI entities.
If you are a resident of the EU/EEA/UK, you have a right to obtain details of the mechanism under which your personal information is transferred outside of the EU/EEA/UK by completing the web form available at https://www.msci.com/gdpr-external-form.
MSCI maintains physical, technical and organizational safeguards designed to protect personal information against unauthorized disclosure or access, and accidental or unlawful destruction, loss or alteration. Highlights of MSCI’s information security program can be found on our Website at https://www.msci.com/information-security.
While MSCI aims to safeguard and protect your personal information from unauthorized access, improper use or disclosure, unauthorized modification or unlawful destruction or accidental loss, and MSCI utilizes and maintains certain reasonable processes, systems, and technologies to do so, you acknowledge that no transmission over the Internet is completely secure or error-free, and that these processes, systems, and technologies utilized and maintained by MSCI may be subject to compromise. Accordingly, we cannot be held responsible for unauthorized or unintended access that is beyond our control.
Retention of your Personal Information
While we generally aim to retain your personal information for the period during which we have a relationship with you, there are many reasons why we may need to retain your data for longer. For example, we may need to retain your personal data if the purpose for which we collected it extends beyond the term of our relationship. We may also retain your personal information for a term that corresponds to a statute of limitations, to establish, exercise or defend legal claims, or as otherwise permitted or required by law, so that in each case we have an accurate record of your dealings with us in the event of any complaints or challenges. We may also retain your personal information for compliance or regulatory purposes, where we are required to do so in accordance with legal, regulatory, tax and/or accounting requirements, or to support a legal or regulatory process, audits, or requests or requirements of a legal or regulatory authority or other governmental entity having authority to make the request.
The Website is not for use by children under the age of 16 years. Except as described in this Privacy Notice with respect to information that employees provide to us about their beneficiaries and dependents in connection with our employment relationship with our employees and our employee benefit plans, MSCI does not knowingly collect, store, share or use the personal information of children under 16 years. If you are under the age of 16 years, please do not provide any personal information, even if prompted by the Website to do so. If you are under the age of 16 years and you have provided personal information, please ask your parent(s) or guardian(s) to notify MSCI and MSCI will take appropriate steps to delete all such personal information.
We send our marketing emails within the US on an opt-out basis, in accordance with CAN-SPAM. Outside of the US, we rely on opt-in consent.
Managing your Subscription to our email Groups
You can unsubscribe from our emails and update your communication preferences and personal information as follows
Marketing / Client Support: You can unsubscribe from our marketing emails or update your marketing preferences at any time by clicking the “unsubscribe” or “change preferences” link provided in such emails. If you work for an existing client, you can update your marketing preferences on our client support site, located at https://support.msci.com/marketing-preferences, or by contacting our client support team directly. You can also contact our client support team to update your contact information or opt out of marketing emails at any time.
Talent Network / Careers: You can unsubscribe from our Talent Network emails at any time by clicking the “unsubscribe” link provided in such emails. In addition, if you have applied for a job but did not receive an offer of employment, we may retain your job application and personal information in order to consider you for future opportunities, subject to your consent where required by applicable law. You can contact our Talent Acquisition team to update your contact information at any time.
Investor Relations: You can unsubscribe from our investor relations emails at any time by clicking the “unsubscribe” link provided in such emails. You can also opt out and update your email preferences on our Investor Relations site, located at http://ir.msci.com/login.cfm.
EU/EEA/UK Specific GDPR Rights
If you are a resident of the EU, EEA or UK, you will have the following rights under the GDPR Rights:
- Right of Access / Subject Access Request: You are entitled to request confirmation that your personal information is being processed; access to your personal information; and other supplementary information that may not be included in this Privacy Notice.
- Right of Rectification: You are entitled to have any inadequate, incomplete or incorrect personal information corrected.
- Right to Erasure (the “right to be forgotten”): You are entitled to have your personal information erased under specific circumstances, such as where you have withdrawn your consent, where you object to processing based on legitimate interests and we have no overriding legitimate grounds, or where personal information is unlawfully processed.
- Right to Restriction Processing: You have the right to restrict our processing of your personal information (that is, allow only its storage) where:
- you contest the accuracy of the personal information, until we have taken sufficient steps to correct or verify its accuracy;
- where the processing is unlawful but you do not want us to erase the personal information;
- where we no longer need your personal information for the purposes of the processing, but you require such personal information for the establishment, exercise or defence of legal claims; or
- where you have objected to processing justified on legitimate interest grounds (see below), pending verification as to whether we have compelling legitimate grounds to continue processing.
- Where your personal information is subject to restriction we will only process it with your consent, for the establishment, exercise or defence of legal claims, for the protection of the rights of another person, or for reasons of important public interest.
- Right to Data Portability: Where we are relying (as the legal basis for processing) upon your consent, or the fact that the processing is necessary to perform a contract to which you are party or to take steps at your request prior to entering a contract, and the personal information is processed by automatic means, you have the right to receive all such personal information which you have provided to us in a structured, commonly used and machine-readable format, and also to require us to transmit it to another controller where this is technically feasible.
- Right to Object: You have the right to object to:
- Processing (including profiling) based on legitimate interest grounds: Where we are relying upon legitimate interests to process personal information, you have the right to object to that processing. If you object, we must stop that processing unless we can demonstrate compelling legitimate grounds for the processing that override your interests, rights and freedoms, or we need to process the personal information for the establishment, exercise or defence of legal claims. Where we rely upon legitimate interests as a basis for processing we believe that we can demonstrate such compelling legitimate grounds, but we will consider each case on an individual basis.
- Direct marketing (including profiling): You have the right to object to our use of your personal information (including profiling) for direct marketing purposes, such as when we use your personal information to invite you to our promotional events.
- Rights in Relation to Automated Decision Making and Profiling: You have the right not to be subject to a decision based solely on automated processing, including profiling, which produces legal effects concerning you or similarly significantly affects you.Please note, we do not use your personal information for automated decision making, including profiling.
- You have a right to obtain details of the mechanism under which your personal information is transferred outside of the EU/EEA/UK by completing the web form available at https://www.msci.com/gdpr-external-form.
- You have the right to lodge a complaint with the supervisory authority of your habitual residence, place of work or place of alleged infringement, if you consider that the processing of your personal information infringes applicable law. A list of data protection supervisory authorities is available at http://ec.europa.eu/newsroom/article29/item-detail.cfm?item_id=612080.
Exercising Your EU Specific GDPR Rights
If you wish to exercise any of your GDPR Rights, please submit your request to us by completing the web form available at https://www.msci.com/gdpr-external-form. Please note that a fee may be charged where laws permit. Please do not use this web form to manage your subscriptions to our email groups. Instead, please follow the instructions above.
Please do not use this form if you work for a current client or Vendor or prospective client or Vendor of MSCI and wish to have your business contact information updated. You can update that information by contacting your local MSCI representative directly.
If you are a current MSCI employee, please use the appropriate internal resources provided.
The Website may contain links to third party sites. Since MSCI does not control nor is responsible for the privacy practices of those websites, we encourage you to review the privacy policies of these third party sites. This Privacy Notice applies solely to personal information collected by our Websites or in the course of our business activities.
How to Contact Us
If you have any questions in relation to this Privacy Notice or our processing of your personal information (other than in relation to a specific GDPR Rights request), you can contact us at: MSCI Inc.
7 World Trade Center
250 Greenwich Street, 49th Floor
New York, NY 10007
Attn: Privacy Officer
Our external data protection officer for IPD Investment Property Databank GmbH and Barra International, LLC Niederlassung Deutschland is:
represented by Prof. Dr. Christoph Bauer
Große Bleichen 21
Changes to this Notice
This Privacy Notice may be changed from time to time to reflect changes in our practices concerning the collection and use of personal information. Please check back frequently to see any updates or changes to this Privacy Notice.